Facebook will never request your password over email

Facebook will never request your password over email

Summary: Facebook says it will ask you to re-enter your password if you try to modify sensitive account information and have been logged in for more than 20 minutes. Anything over e-mail is still a scam.

SHARE:

On Friday, I wrote a story about how Facebook was prompting users for their password when they navigate to Facebook's Update Your Security Information webpage. Users said they were confused why it was happening, and frankly so was I. The prompt was ironic to me because most users get to the webpage from a Facebook ad (Sponsored Story) called "Account Protection" pushed out by Facebook itself to help them improve their account security.

This was very frustrating to me since security experts have been warning users for years not to hand over their password willy-nilly. In my article, I pointed to a Facebook Help Center entry (emphasis mine):

I got an email asking for my Facebook password. Do not respond to the email. Facebook will never request your password, and we advise against providing your login information to anyone under any circumstances.

On Saturday, Facebook got back to me and clarified what was happening. "Our policy here is to ask a user to re-enter their password after 20 minutes has elapsed any time you attempt to modify sensitive account information – e.g. Email, phone #, security question, Page admins etc," a Facebook spokesperson said in a statement. "This check is to make sure the user is still accessing their account, and not another person who has gained access to the device."

I understood, but I wasn't satisfied. I was more annoyed with Facebook's confusing stance. I told them their documentation needed an update. Here's what I wrote:

I have tested this and it appears that the prompt indeed does not occur in the 20-minute timeframe after you login to Facebook. That being said, I have told Facebook I think their documentation needs to be updated to reflect this policy.

On Monday (today), that's what happened. While it looks like a small difference, I think it's an important one. The Facebook Help Center entry (emphasis mine) now says:

I got an email asking for my Facebook password. Do not respond to this email. Facebook will never request your password over email, and we advise against providing your login information to anyone under any circumstances.

I would have preferred for Facebook to disclose the 20-minute time limit, because that's really what was missing from the documentation. I guess Facebook users will simply have to refer to articles like this one for such specific information.

See also:

Topics: Social Enterprise, Collaboration

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion